PIX Configuration 6 Points

PIX1 is connected to R1 by the inside interface, and the outside interface is connected to a managed router through a 10-Mbps connection. Use the IP address 144.254.1.2/30 for the inside interface; the outside interface should be set to 9.1.1.1/24.

PIX1 should use RIPv2 to communicate to R1 and supply a default route to R1. (Note that with PIX 6.3 in the current exam, OSPF may be required also. Ensure that you have the skill set for OSPF as well.)

Ensure that all RIP updates are authenticated using MD5.

You can configure a static route on the PIX to network 144.254.0.0/16 through R1 and the Internet through 9.1.1.2. Note that the PIX cannot handle more than one default route.

All inside hosts should be able to ping, but only R1 is permitted to telnet to the PIX.

Configure NAT on the PIX so that inside users can reach the Internet.

PIX Configuration Solution

Example 8-30 configures the inside and outside IP address on PIX1. The host name is set to PIX1.

Example 8-30 Inside/Outside IP Address Configuration

pixfirewall# config terminal
pixfirewall(config)# hostname PIX1
! Set the name and security level for the PIX interfaces
PIX1(config)# nameif ethernet0 outside security0
PIX1(config)# nameif ethernet1 inside security100
! Enable the interfaces and set the speed
PIX1(config)# interface ethernet0 auto
PIX1(config)# interface ethernet1 auto
! Configure the interface IP addresses
PIX1(config)# ip address outside 9.1.1.1 255.255.255.0
PIX1(config)# ip address inside 144.254.1.2 255.255.255.252

Example 8-31 confirms the IP address configuration with the PIX command show interface (note that version 6.3 displays a little differently).

Example 8-31 show interface Command on the PIX

PIX1# show interface
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82558 ethernet, address is 0090.2742.ff83
  IP address 9.1.1.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 10000 Kbit full duplex
        166 packets input, 52434 bytes, 0 no buffer
        Received 80 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        83 packets output, 5872 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82558 ethernet, address is 0090.2743.01ab
  IP address 144.254.1.2, subnet mask 255.255.255.252
  MTU 1500 bytes, BW 10000 Kbit full duplex
        34046 packets input, 2265846 bytes, 0 no buffer
        Received 33958 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        92 packets output, 6508 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
PIX1#

To enable RIPv2 on the PIX, enter the following command on the PIX:

rip inside passive version 2 authentication md5 secret-key key-id

Example 8-32 configures the PIX Firewall for RIPv2 and MD5 authentication. Two static routes are also configured, pointing to network 144.254.0.0/8 and the Internet.

Example 8-32 RIP Version 2 Configuration on the PIX

rip inside passive version 2 authentication md5 ccie 1
rip inside default version 2 authentication md5 ccie 1
route outside 0.0.0.0 0.0.0.0 9.1.1.2
route inside 144.254.0.0 255.255.0.0 144.254.1.1

The MD5 password is set to ccie. The second configuration line supplies a default RIP route to R1. The final two commands enable static routes for the internal network and the Internet through 144.254.1.1 and 9.1.1.2, respectively.

You must now configure Router R1 for RIP authentication.

Example 8-33 configures a key chain named cisco, and the MD5 password is ccie. RIP is enabled on the Ethernet0/0 interface connecting to the inside interface on the PIX Firewall.

Example 8-33 Key Chain Configuration on R1

hostname R1
key chain cisco
 key 1
  key-string ccie
interface Ethernet0/0
 ip rip authentication mode md5
 ip rip authentication key-chain cisco
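To show what "authenticated using MD5" buys on the RIP link between the PIX and R1, here is an added example (not from the book) that builds and checks a RIPv2 update carrying the keyed-MD5 trailer defined in RFC 2082; the key string and key id match Examples 8-32 and 8-33, while the routes, sequence number and the tampered copy are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

# Keyed-MD5 RIPv2 authentication as specified in RFC 2082. The key string and
# key id are the lab's (key-string ccie, key 1); routes and sequence numbers
# used below are constructed sample values.
KEY_ID = 1
KEY = b"ccie"

def _padded_key(key):
    # RFC 2082: a key shorter than 16 octets is padded with trailing zeros
    return key.ljust(16, b"\x00")[:16]

def build_update(routes, key, key_id, seq):
    """Return an authenticated RIPv2 response for (network, mask, metric) routes."""
    header = struct.pack("!BBH", 2, 2, 0)  # command 2 = response, version 2
    rtes = b"".join(
        struct.pack("!HH4s4s4sI", 2, 0, ipaddress.IPv4Address(net).packed,
                    ipaddress.IPv4Address(mask).packed, b"\x00" * 4, metric)
        for net, mask, metric in routes)
    # the auth entry's "packet length" is the offset of the trailer
    trailer_off = 4 + 20 + len(rtes)
    auth_entry = struct.pack("!HHHBBI8s", 0xFFFF, 3, trailer_off,
                             key_id, 16, seq, b"\x00" * 8)
    body = header + auth_entry + rtes + struct.pack("!HH", 0xFFFF, 1)
    # the digest covers everything up to the trailer header plus the padded key
    return body + hashlib.md5(body + _padded_key(key)).digest()

def verify_update(packet, keys):
    """Check the trailer digest with the key selected by the packet's key id."""
    if len(packet) < 44 or packet[4:8] != struct.pack("!HH", 0xFFFF, 3):
        return False
    trailer_off, key_id, auth_len = struct.unpack("!HBB", packet[8:12])
    key = keys.get(key_id)
    if key is None or auth_len != 16 or len(packet) != trailer_off + 20:
        return False
    body, received = packet[:trailer_off + 4], packet[trailer_off + 4:]
    if body[-4:] != struct.pack("!HH", 0xFFFF, 1):
        return False
    expected = hashlib.md5(body + _padded_key(key)).digest()
    return hmac.compare_digest(expected, received)

def demo():
    """Sign the PIX's default route toward R1, then show a tampered copy failing."""
    pkt = build_update([("0.0.0.0", "0.0.0.0", 1)], KEY, KEY_ID, seq=1)
    ok = verify_update(pkt, {KEY_ID: KEY})
    # flip bits in the RTE's metric byte: the digest no longer matches
    tampered = pkt[:43] + bytes([pkt[43] ^ 0x0F]) + pkt[44:]
    return ok, verify_update(tampered, {KEY_ID: KEY})
```

The sequence number in the auth entry is what lets a receiver reject replayed updates; the digest alone only proves the sender held the key.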

To enable inside hosts to ping and telnet to the PIX, allow ICMP and Telnet to the PIX on the inside interface only. By default, the PIX will not permit ICMP and Telnet to any interface.

Example 8-34 permits ICMP and Telnet from the inside hosts.

Example 8-34 Allowing ICMP and Telnet on the PIX

icmp permit any echo inside

Example 8-35 permits R1 to telnet to the PIX with the telnet command.

Example 8-35 telnet Command on the PIX for R1 Only

telnet 144.254.1.1 255.255.255.255 inside

Example 8-36 displays the Telnet request from R1 to the PIX Firewall; the enable password has not been set, so you simply press Return.

Example 8-36 Telnet to 144.254.1.2 from R1

R1#telnet 144.254.1.2
PIX passwd: cisco
Welcome to the PIX firewall

Copyright 1996-2000 by Cisco Systems, Inc.

                Restricted Rights Legend

Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013.

                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706

Type help or '?' for a list of available commands.
PIX1> enable
Password:
PIX1#

The telnet command is used on the PIX to specify which hosts are permitted to telnet to the PIX. By default, inside hosts do not require IPSec to remotely manage the PIX, but outside hosts do. In earlier versions of PIX code, it was possible to telnet only from an inside interface. By default, the Telnet password is set to cisco. You may also, of course, use SSH rather than Telnet.

All outside hosts (hosts that are untrusted, such as Internet devices) need to be configured for IPSec to the PIX to enter the management console by Telnet. Telnet through IPSec is only required on the outside interface. In a real-life network, however, SSH should be used on the outside interface instead.

To enable NAT on all inside hosts on the PIX, the following command is first required on the PIX:

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

The nat command associates a network with a pool of global IP addresses. The following is the full PIX OS syntax:

nat [(if_name)] nat_id local_ip [netmask [max_conns [em_limit]]] [norandomseq]
nat [(if_name)] 0 access-list acl_name
nat [(if_name)] 0 local_ip [netmask [max_conns [em_limit]]] [norandomseq]
no nat [[(if_name)] nat_id local_ip [netmask [max_conns [em_limit]]]] [norandomseq]
no nat [(if_name)] 0 access-list acl_name

Table 8-3 summarizes the available options with the nat command.

Table 8-3 nat Command Syntax Description

Syntax: Description

if_name
    The internal network interface name. If the interface is associated with an access list, if_name is the higher-security-level interface name.

nat_id
    All nat command statements with the same nat_id are in the same NAT group. Use nat_id in the global command statement; for example:

        global (outside) 1 10.1.1.0 10.1.1.254 netmask 255.255.255.224

    This example associates the nat command with the global command by nat_id. nat_id is an arbitrary positive number between 0 and 2 billion. This number can be the same as the ID used with the outbound and apply commands. Specify 0 with IP addresses and netmasks to identify internal networks that desire only outbound identity address translation. Specify 0 with the access-list option to specify traffic that should be exempted from NAT.

access-list
    Associates an access-list command statement with the nat 0 command.

local_ip
    Internal network IP address to be translated. You can use 0.0.0.0 to allow all hosts to start outbound connections. The 0.0.0.0 local_ip can be abbreviated as 0.

netmask
    Network mask for local_ip. You can use 0.0.0.0 to allow all outbound connections to translate with IP addresses from the global pool.

max_conns
    The maximum TCP connections permitted from the interface you specify.

em_limit
    The embryonic connection limit. The default is 0, which means unlimited connections. Set it lower for slower systems and higher for faster systems.

norandomseq
    Do not randomize the TCP packet's sequence number. Use this option only if another inline firewall is also randomizing sequence numbers and the result is scrambling the data. Use of this option opens a security hole in the PIX Firewall.
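As an added check that is not part of the book's lab, the following Python script reads PIX configuration lines like those in Examples 8-32, 8-34 and 8-35 and reports what misses this lab's requirements: RIP without MD5 authentication, more than one default route, telnet permitted beyond a single inside host, and a nat statement carrying norandomseq. Both sample configurations are constructed; the second is deliberately weak.

```python
# Constructed samples: the PIX lines from Examples 8-32, 8-34 and 8-35, and a
# weak variant that violates each of the lab's requirements in turn.
GOOD_CONFIG = """\
rip inside passive version 2 authentication md5 ccie 1
rip inside default version 2 authentication md5 ccie 1
route outside 0.0.0.0 0.0.0.0 9.1.1.2
route inside 144.254.0.0 255.255.0.0 144.254.1.1
icmp permit any echo inside
telnet 144.254.1.1 255.255.255.255 inside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

WEAK_CONFIG = """\
rip inside passive version 2
route outside 0.0.0.0 0.0.0.0 9.1.1.2
route outside 0.0.0.0 0.0.0.0 9.1.1.3
telnet 0.0.0.0 0.0.0.0 inside
telnet 9.1.1.0 255.255.255.0 outside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0 norandomseq
"""

def audit_pix(config):
    """Return a list of findings for lines that miss the lab's requirements."""
    findings = []
    defaults = 0
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        cmd = words[0]
        if cmd == "rip" and "authentication" not in words:
            findings.append("unauthenticated RIP: " + line)
        elif cmd == "rip" and "md5" not in words:
            findings.append("RIP authentication is not MD5: " + line)
        elif cmd == "route" and words[2:4] == ["0.0.0.0", "0.0.0.0"]:
            defaults += 1  # the PIX supports only one default route
        elif cmd == "telnet" and len(words) >= 4:
            mask, iface = words[2], words[3]
            if iface != "inside":
                findings.append("telnet permitted on non-inside interface: " + line)
            elif mask != "255.255.255.255":
                findings.append("telnet not limited to a single host: " + line)
        elif cmd == "nat" and "norandomseq" in words:
            findings.append("TCP sequence randomization disabled: " + line)
    if defaults != 1:
        findings.append(f"expected exactly one default route, found {defaults}")
    return findings
```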

See the following Cisco.com page for more details on how NAT/PAT can be configured on a Cisco PIX:

www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/index.htm

More PIX tasks appear later in this CCIE Security self-study lab.
